> From: James Morris <[EMAIL PROTECTED]> > Date: Thu, 5 Oct 2006 16:54:38 -0400 (EDT) > > > > #ifdef CONFIG_XFRM_SUB_POLICY > > > pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_SUB, > fl, family, dir); > > > - if (pol) > > > + if (IS_ERR(pol)) { > > > + err = PTR_ERR(pol); > > > + pol = NULL; > > > + } > > > + if (pol || err) > > > goto end; > > > > Similarly, if the sub-policy lookup returns -EACCESS, > should we then try a > > main policy lookup before failing? > > We're trying to fill the flow cache here. In the case where we'd > have a match in both the sub-policy and main table, I think the > sub-policy is supposed to take precedence, and if you fail to get > this sub-policy you should fail the entire lookup.
Which is what's happening here correct? > > The way the sub-policied entries work is that you find the sub-policy > as the primary object in the flow cache, and once you notice you have > a sub-policy you do an explicit lookup in the main table to put the > whole thing together. May be James can help me understand this; when exactly would a sub-policy be "notice"d here? What does "put the whole thing together" mean? - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html